configuring devices behind the Public Routed Subinterface

It is a counter-intuitive configuration, so after trial and error for the past few hours, I've figured out how to do it. The directions are:

Open a web browser to your homeportal (default is 192.168.1.254)

Have the password for your 2Wire gateway handy

1. Click the Home Network icon and then click Advanced Settings

2. Enable the Public Routed Subinterface

3. Enter the public routable IP address that AT&T assigns you as the gateway into the Router Address box, and the Subnet Mask that they've assigned you in the Subnet Mask box.

4. To set up your first device, connect it to the 2Wire Home Portal, and set it up to use DHCP. The device will take a private address from the 2Wire.

5. Click the box on the right side of the Advanced Settings window named "Edit Address Allocation"

6. Find the device that you want to put the Public IP Address onto.

7. Uncheck the "Firewall Protection" box to turn off the inbound firewall to that device (if you wish, you can leave it checked and only open the ports that you need to use in the Firewall configuration)

9. In the WAN IP Mapping, choose the address that you want to use from the dropdown box

10. Click "Save" at the bottom of the page. When the page refreshes, you'll see that your device needs a "DHCP Renew"

11. Go back to the device that you want to connect, and refresh its DHCP address (on a Linksys or Netgear router, you can just click Save Settings or Apply on the Setup window to refresh the DHCP address). The results of the DHCP renew can be seen on the Status page of either device, or on a Windows PC, using the "ipconfig /all" command in a CMD window.

12. On the 2Wire Home Portal, click Cancel to return you to the Home Network > Advanced Settings window, and you'll see that your device has taken the new public IP address. If you click on the "Edit Address Allocation" again, you'll see that your Device Status is "Connected DHCP"

13. After doing this, I went back to my device and set the IP address in the setup to a static IP.

Adding a second device is a basic repeat of the procedure. I'm having problems right now adding a 3rd device, which may require that I restart the Home Portal - I'll do that later tonight and report back on the status of the 3rd device.

Re: configuring devices behind the Public Routed Subinterface

That's awesome. It's nice to know that static IPs are available, and that it works with publicly routable IPs. This enables using enterprise-class routers for doing things that won't work behind NAT, like IPSec VPN tunnels.

Re: configuring devices behind the Public Routed Subinterface

How do you do this without DHCP? We had UVerse installed with 32 IP addresses for a client install and the technician had no idea how to make it work. I need my firewall behind the router to have all the IP addresses assigned to it, and obviously it cannot DHCP all of them from the RG. The installation tech had no idea how to do it. She didn't even know what a 66-block was and we had to terminate the pairs for her.

Re: configuring devices behind the Public Routed Subinterface

I have the same need. The devices I have behind my RG can't do DHCP (firewalls, etc). Right now I don't see another option other than plugging in 14 random PCs into it so an entry will show up in the RG web interface and allow me to turn the firewall off.

If I don't do this, and instead just statically configure a device with one of my assigned IP addresses behind the RG I can make outbound connections, but the RG's firewall drops any incoming connections. That's unacceptable. I have a business u-verse line, with static IPs. I don't want the RG stepping on my connections.

There needs to be an easier way to turn the firewall off for these static IP plans. I can't imagine how you would do this with larger blocks. Seriously annoying!

Has anyone figured out how to set up the static IP addresses properly without resorting to DHCP?

Re: configuring devices behind the Public Routed Subinterface

I have run into a similar problem and have tried using this method but get stopped at enabling the Public Routed Subinterface. My company ordered a block of 8 IPs (5 usable). My gateway does not have the gateway IP that I was told is part of our block. I called tech support because on our previous DSL connection the gateway inherited the gateway IP of the block we had, and I thought this was a problem. Rest assured they told me we do have the specified block and the gateway gets a different IP regardless of our block. Long story short I used the above directions and when I enter the IP for the gateway I was given for our block and then the subnet (255.255.255.248) it says "The manually configured public routed subinterface is not valid." I changed the subnet to 255.255.255.0 and was able to apply the setting, but I know this is not my subnet. I continued with the directions and when I got to number 9 I selected the public IP, hit save and got an error saying "invalid address assignment". I tried again and same problem. Is this a problem with the gateway, AT&T, or with something I'm doing? Any help would be really appreciated since our office needs to get our email server back up ASAP. Thank You

Re: configuring devices behind the Public Routed Subinterface

From the "Firewall Settings" page (this is a "radio button" option at the bottom of the page):

"Allow all applications (DMZplus mode) – Set the selected computer in DMZplus mode. All inbound traffic, except traffic which has been specifically assigned to another computer using the “Allow individual applications” feature, will automatically be directed to this computer. The DMZplus-enabled computer is less secure because all unassigned firewall ports are opened for that computer.

Note: Once DMZplus mode is selected and you click DONE, the system will issue a new IP address to the selected computer. The computer must be set to DHCP mode to receive the new IP address from the system, and you must reboot the computer. If you are changing DMZplus mode from one computer to another computer, you must reboot both computers."

They say computer, but, of course, it can be any DHCP-enabled device.

Even though the "real" outside gateway address is different than that block you were issued, the addresses in the block you were issued are (should be) in the routing table on the provider side (like "get to this block of addresses (the block of public IPs), via this address" (which is the outside address of the RG)).

Once you are "inside" your firewall/gateway/border device, any of the addresses in your public block should be valid for whatever you wish to do with them (as long as the port has not been assigned in the RG's port forwarding table), at least that's the way I'm reading it.

It does sound like you'd need one extra device, so the NAT from RG{outside} to FW{outside} gets you to your block, then the assigned publics would be available for whatever further translation you need (i.e., one address for Web, one for email, one for VPN ...). So something like a traditional "choke" router or straight-up firewall feeding the "outside" interface of your "real" router would fit the bill.

Your other (probably more normal) setting would be under the "Advanced Settings" button under "Home Network" tab. At the lower left is a box with a checkbox and config fields for "Public Routed Subinterface" where you specify the address and block.

They cover several versions of firmware, but I think you want the info provided from ~"2b" on down.

That link came from the "help" button at the top right of the "Advanced Settings" button under the "Home Network" tab, then entering "Public Routed Subnet" in the search bar at the top of the 2Wire help screen.

Good Luck

Scott

Employee Contributor*

*I am an AT&T employee and the postings on this site are my own and don't necessarily represent AT&T's position, strategies or opinions.

Re: configuring devices behind the Public Routed Subinterface

fleish wrote: I'm having problems with this also. No matter what I do (even if I make no changes to the address allocation page), when I hit submit I get the "Invalid address assignment" error.

What settings are you trying to add / change?

You may first have to power cycle either the RG, the attached device, or both between steps. The attached device will not get its proper address assignment (to the device's WAN port) until you restart the device (it has to be DHCP enabled, and the RG will give it the address of its outside/WAN port).

Employee Contributor*

*I am an AT&T employee and the postings on this site are my own and don't necessarily represent AT&T's position, strategies or opinions.

Re: configuring devices behind the Public Routed Subinterface

"What settings are you trying to add / change?"

I tried both changing a device from a private IP to a public. I also tried changing nothing & just hitting submit. Why would the device or the Uverse GW need to be power cycled? One thing I've been very impressed with is the Uverse GW's "reboot resiliency" compared to the more common Linksys home GW products. That is to say for many changes I've made to the Uverse GW a reboot was not required, while those same changes on a Linksys GW would trigger a reboot. It doesn't make sense technically that a reboot would be required, and if one really was then you'd think the Uverse GW's OS/firmware would perform one. In this case, I suspect something else is wrong because even without making any changes, submitting this page throws the same error.

The more I try to work with this service the more I want to throw it out in favor of something else. Spent 55 minutes on hold last night for tech support on my way home & then AT&T Wireless decided to drop my call. Not good.

Re: configuring devices behind the Public Routed Subinterface

Once you configure the target device as the DMZ device in the RG's firewall config, the RG uses the IP address you give it to pull the MAC of the device. A flag is set in the RG to provide that MAC with the same IP address as the external interface of the RG.

The hook is that if you don't reboot the DMZ device within a few minutes, the configuration reverts (i.e., it goes back to getting another internal address). The DMZ device also needs to be set for DHCP on its external interface (which should be plugged into one of the RG's Ethernet ports).

If the DMZ device is not set for DHCP, if the DMZ device is not power cycled (or otherwise inspired to ask for a DHCP address), if you wait too long, if the RG firewall is not configured for a DMZ device ..... then it won't work. There are probably a few more "ifs" but these are the most-often missed.

Good Luck

Employee Contributor*

*I am an AT&T employee and the postings on this site are my own and don't necessarily represent AT&T's position, strategies or opinions.

Re: configuring devices behind the Public Routed Subinterface

You don't have to reboot the device or the RG.

The RG's broadband IP address is "shared" with the DMZplus host. You can just disable and enable the NIC. For many users it is just easier to restart the computer than figure out how to disable and then enable the NIC. For the DMZplus feature to provide the public IP address to the client configured in the DMZplus, the client needs to get the public IP.

Re: configuring devices behind the Public Routed Subinterface

I think we're mixing topics now. I'm not talking about using "DMZplus". I'm talking about telling the Uverse GW to hand out a public address to a DHCP client & put it on the public segment rather than the private one.

Re: configuring devices behind the Public Routed Subinterface

No, recent posts have been on the basic changes that require a restart or not.

Could you explain your configuration in a little more detail? For example how many Public Routable IPs do you have and why do you want to use DHCP to provide the public IP to a client device?

The normal purpose of public routable IP addresses is to have a known public IP address assigned to a specific host. The RG will work very well if you just configure the "Public Routed Subinterface" http://192.168.1.254/xslt?PAGE=J09&THISPAGE=J10&NEXTPAGE=J09 with the information from U-verse. Now you can just change the settings in your host TCP/IP configuration to use a valid IP address in that range and use the exact same subnet mask. You will need to disable / enable your host adapter or as has been mentioned above, just restart the PC or MAC.

Yes the RG can manage / provide public routed IPs via DHCP here: http://192.168.1.254/xslt?PAGE=J10&THISPAGE=J09&NEXTPAGE=J10 To use this feature you have to already have the "Public Routed Subinterface" step completed and your hosts need to be on and currently have an address in the RG's private IPs DHCP range. You just use the "pulldown" to map the host to one of the available public IPs in the pulldown list. If the only entry in the list ends with .0 then you don't have the Public Routed Subinterface configured. Also if you manually configure your host IP before this step, it will already be set and that IP address will not appear in the pulldown list.

The error message that you are reporting is on what page and what steps lead you to the action that is producing the error?
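Added example, not written by any poster in this thread and not 2Wire or AT&T code: the address arithmetic behind a Router Address plus Subnet Mask pair, showing which addresses in a block remain for statically configured hosts and why a host must use the same mask. The function names are hypothetical and the addresses are constructed from the 203.0.113.0/24 documentation range, chosen to give an 8-address block with 5 usable addresses like the one mentioned earlier in the thread.

```python
import ipaddress

def plan_public_subnet(router_addr, subnet_mask):
    """Lay out the block implied by the Router Address and Subnet Mask fields."""
    # IPv4Interface accepts a host address plus a dotted mask and derives the
    # network from them; a non-contiguous mask raises ValueError.
    iface = ipaddress.IPv4Interface(f"{router_addr}/{subnet_mask}")
    net = iface.network
    if iface.ip in (net.network_address, net.broadcast_address):
        raise ValueError(f"{iface.ip} is the network or broadcast address of {net}")
    return {
        "network": net,
        "router": iface.ip,
        "broadcast": net.broadcast_address,
        # Addresses left for hosts once the gateway takes the router address.
        "assignable": [h for h in net.hosts() if h != iface.ip],
    }

def check_static_host(plan, host_addr, host_mask):
    """Return a list of problems with a statically configured host (empty = OK)."""
    problems = []
    host = ipaddress.IPv4Address(host_addr)
    net = plan["network"]
    if ipaddress.IPv4Address(host_mask) != net.netmask:
        problems.append(f"mask {host_mask} differs from gateway mask {net.netmask}")
    if host not in net:
        problems.append(f"{host} is outside {net}")
    elif host in (net.network_address, net.broadcast_address):
        problems.append(f"{host} is the network or broadcast address")
    elif host == plan["router"]:
        problems.append(f"{host} is already used by the gateway")
    return problems

if __name__ == "__main__":
    # Constructed values from the 203.0.113.0/24 documentation range.
    plan = plan_public_subnet("203.0.113.46", "255.255.255.248")
    print("block:", plan["network"], "router:", plan["router"])
    print("assignable:", ", ".join(map(str, plan["assignable"])))
    for addr, mask in [("203.0.113.42", "255.255.255.248"),
                       ("203.0.113.42", "255.255.255.0"),
                       ("203.0.113.47", "255.255.255.248"),
                       ("203.0.113.50", "255.255.255.248")]:
        print(addr, mask, "->", check_static_host(plan, addr, mask) or "OK")
    # A 255.255.255.0 mask makes the gateway claim far more than the block.
    wide = plan_public_subnet("203.0.113.46", "255.255.255.0")
    print("with a /24 mask,", len(wide["assignable"]), "addresses look local")
```

With a 255.255.255.0 mask the same router address covers 253 other addresses, most of which belong to someone else, so traffic to them would be treated as on-link instead of being routed.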

Re: configuring devices behind the Public Routed Subinterface

"Could you explain your configuration in a little more detail? For example how many Public Routable IPs do you have and why do you want to use DHCP to provide the public IP to a client device?"

It's pretty simple really. Currently I have a client that has a static, private IP address. I have a /29 of public routable IPs. I don't want to use DHCP to provide the public IP to the client device. However, I've tried assigning it a static address out of the public range and that fails just the same.

"The error message that you are reporting is on what page and what steps lead you to the action that is producing the error?"

It's on the edit address allocation page. To reproduce it I only need to hit submit, without even changing anything.

Since I've not gotten it to work before, how does it do it? Does it just set up a 1:1 NAT and still assign the "client" a private IP address? Or does it actually hand the client a public IP?